critical · CVE-2025-599442025-10-03
Cursor sensitive-file protection bypass
Affected Cursor releases used case-sensitive checks around sensitive files, enabling a prompt-injection path to modify protected configuration on case-insensitive filesystems.
Action: Update to Cursor 1.7 or later and review repository-controlled AI configuration before trust is granted.
high · CVE-2026-227082026-01-14
Cursor terminal allowlist bypass
In a non-default Auto-Run plus Allowlist configuration, shell built-ins could alter environment variables without appearing in the command allowlist.
Action: Update to Cursor 2.3 or later and avoid treating command-name allowlists as a complete execution boundary.
high · CVE-2026-248872026-02-03
Claude Code confirmation-prompt bypass
A command-parsing error could bypass the confirmation prompt and trigger an untrusted command when attacker-controlled content entered context.
Action: Update to 2.0.72 or later and keep untrusted repository content outside command-authorizing context.
high · CVE-2025-595322025-09-22
Codex workspace sandbox-boundary bypass
Affected Codex releases could treat a model-generated working directory as the sandbox writable root, bypassing the intended workspace boundary.
Action: Use Codex CLI 0.39.0 or later and IDE extension 0.4.12 or later, then verify the effective writable root before sensitive work.
high · CVE-2025-540732025-07-18
MCP package-documentation server command injection
Unsanitized package arguments reached a shell command, creating a path from tool input or indirect prompt injection to command execution.
Action: Update to 0.1.28 or later and use argument-safe process APIs rather than shell interpolation.
critical · CVE-2026-405762026-04-12
Remote MCP spreadsheet server path traversal
Affected remote deployments failed to confine file paths to the configured spreadsheet directory, allowing arbitrary file read and write operations.
Action: Update to 0.1.8 or later, bind remote services narrowly, authenticate requests, and validate resolved paths against the approved root.